Who are The Lazarus Group?

If you’ve looked beyond the headlines of recent cyber-attacks, you might have seen or heard of or about something called “Lazarus” or “The Lazarus Group”.

Here’s a quick rundown of everything you need to know about them, or at least what we know about them based on publicly released research by cybersecurity giants McAfee, Symantec and Kaspersky.

Who are the Lazarus Group?

The Lazarus Group are a group of cyber-criminals that some security experts believe are native to, or at-least based out of, North Korea. Some organizations have even taken this a step further and accused the group of being a state-backed one. However, others are more skeptical about this detail.

Speaking to Phys.org in 2014, James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, insisted that "There is no conclusive evidence that Lazarus is state-sponsored.”

What have they been responsible for?

The Lazarus Group have been responsible for some of the biggest cyberattacks in recent history. They are believed to have been responsible for 2014’s Sony hack and they’re also believed to be connected to the theft of US$81 million from the Central Bank of Bangladesh in 2016.

According to Symantec, they may well have also been responsible for last year’s Wannacry ransomware outbreak.

In a recent security report, Symantec noted that “aside from commonalities in the tools used to spread WannaCry, there are also a number of links between WannaCry itself and Lazarus.” They say that WannaCry “shares some code with Backdoor.Contopee, malware that has previously been linked to Lazarus” and that “ One variant of Contopee uses a custom SSL implementation, with an identical cipher suite, which is also used by WannaCry.”

A timeline of recent Lazarus activity assembled by Kaspersky can be seen below.

Credit: Kaspersky

Will they strike again?

Almost certainly.

“We’re sure they’ll come back soon. In all, attacks like the ones conducted by Lazarus group show that a minor misconfiguration may result in a major security breach, which can potentially cost a targeted business hundreds of millions of dollars in loss. We hope that chief executives from banks, casinos and investment companies around the world will become wary of the name Lazarus,” said Vitaly Kamluk, Head of Global Research and Analysis Team APAC at Kaspersky Lab.

According to a recent research report by McAfee, the group is said to be pivoting towards mobile-driven malware. In 2017, they wrote that “The McAfee Mobile Research team has identified a new threat—Android malware that poses as a legitimate app available from Google Play and targets South Korean users—that suggests a deviation from the traditional playbook.”

“An analysis of campaign code, infrastructure, and tactics and procedures suggests the Lazarus group is responsible, as they evolve their attack tactics to now operate within the mobile platform. And although the debate regarding attribution of attacks will always rage, documenting evolving tactics by threat actor groups allows organizations and consumers to adapt their defenses accordingly.”

They go on to say that “evolving attacks onto the mobile platform are likely to continue, and this appears to be the first example of the Lazarus group using mobile. Such a change, therefore, is significant, demonstrating that criminals are keeping up with platform popularity”

Credit: Samorn Tarapan | Dreamstime.com